Open 3hhh opened 4 days ago
Hm I just noticed that even with my patch, I'll have to go to some lengths to be able to use the new chain as custom-input and the new chain are in two different tables (qubes and qubes-firewall).
So with the patch it'll be better than the current situation (cannot re-use the dynamic firewall rules at all as one cannot jump to hooked chains), but still not simple - probably I'll have to create another input hook in the qubes-firewall table and jump to the new chain from there.
On a side note: It is a bit annoying to have to re-open this issue on every git push.
On a side note: It is a bit annoying to have to re-open this issue on every git push.
Just put your changes into some new branch, instead of "main".
The problem you're addressing (if any)
Custom user chains cannot reference Qubes OS VM chains from their code for multiple reasons as custom qubes-firewall user code is only executed once at firewall startup and before Qubes OS creates the VM chains.
This can lead to the qubes-firewall being bypassed in certain configurations.
The solution you'd like
Currently the qubes-firewall creates chains such as this one:
Instead, create this:
This allows users to jump to the forward-dynamic chain and re-use the Qubes OS rules in their custom setups.
The value to a user, and who that user might be
Working qubes-firewall even with custom setups.
Completion criteria checklist
(This section is for developer use only. Please do not modify it.)